Record-breaking DeFi exploit in 2026: How KelpDAO lost $294 million across 20+ chains
On 19 April, the liquid staking protocol KelpDAO suffered one of the most devastating decentralized finance exploits of 2026. In less than an hour, attackers managed to siphon off around $294 million, dealing a heavy blow to a project that previously boasted roughly $1.57 billion in total value locked (TVL).
The primary target was KelpDAO’s Restaked ETH (rsETH), a liquid restaking token designed to operate across multiple networks. On-chain data shows the attacker managed to mint 116,500 rsETH, worth about $294 million at the time. These freshly minted tokens were then used as collateral to borrow 106,467 ETH, rapidly draining liquidity before the protocol could fully react.
KelpDAO’s team did move fast by DeFi standards, halting the protocol approximately 46 minutes after the exploit began. However, by that time the critical damage had already been done: the attacker had secured control over the borrowed ETH and destabilized rsETH liquidity across more than 20 chains where the token is integrated.
—
LayerZero’s role: a crucial bridge turned attack vector
A deeper post-incident analysis pointed to LayerZero, a popular cross-chain messaging layer, as the key infrastructure that made the exploit possible. In this case, LayerZero functioned as a bridge for rsETH between KelpDAO and other chains.
The attacker appears to have submitted instructions that passed LayerZero’s validation checks, effectively tricking the messaging layer into treating malicious messages as legitimate. With those seemingly valid packets, the exploiter was able to receive 116,500 rsETH from KelpDAO’s bridge contracts, despite not depositing the corresponding value.
This technical breakdown underscores a recurring theme in DeFi: even when individual protocols are audited, complex dependencies on third-party cross-chain systems can introduce hidden attack surfaces.
As the news spread, LayerZero’s native token, ZRO, came under heavy selling pressure. Over the span of 24 hours, ZRO fell more than 22%, dropping to about $1.52 after having traded above $2 just two days earlier. The price crash amplified the financial fallout far beyond KelpDAO’s ecosystem.
LayerZero’s team stated that they are in “active remediation” with KelpDAO, working to understand the precise mechanics of the exploit and plan next steps for users affected by the incident.
—
Whale liquidations and cascading losses
The KelpDAO exploit did not just impact protocol treasuries and liquidity pools; it also hit individual traders hard, particularly large holders of ZRO.
One notable whale, who held a substantial long ZRO position on the derivatives platform Hyperliquid, was caught on the wrong side of the violent price move. The rapid drawdown led to liquidation events totaling approximately $2.88 million. Although the trader is reportedly still maintaining an open position, unrealized losses of around $750,000 have already accumulated, with the overall exposure swinging deep into the red.
This single case illustrates how intertwined derivatives markets, token prices, and protocol security have become: a security failure in one part of the ecosystem can quickly spiral into forced liquidations and heavy losses for leveraged traders elsewhere.
—
Is this the biggest DeFi hack of 2026?
Many observers have already labeled the KelpDAO attack as the largest DeFi exploit of 2026 so far, both in terms of total funds compromised and its ripple effects.
One major reason is the multi-chain footprint of rsETH. The token operates across more than 20 networks, including multiple Ethereum Layer 2s. Once news of the exploit hit, holders rushed to redeem or offload their rsETH to minimize exposure. This sudden wave of redemptions and selling likely intensified pressure on remaining liquidity pools and bridged assets, particularly on Ethereum itself.
What started as an attack on a single protocol quickly evolved into a systemic liquidity crunch. Panic-driven behavior, alongside automatic risk controls on integrated platforms, contributed to a broader market shock.
—
Liquidity stress prompts protocol freezes
In response to the unfolding crisis, several major DeFi protocols moved swiftly to freeze or limit certain features to prevent further contagion.
– The Aave team temporarily paused Aave V3 and Aave V4 markets to contain risk.
– AAVE, the protocol’s native governance token, sank over 20% in the 24 hours following the freeze, trading near $92.06.
– Large AAVE holders began unloading their positions almost immediately after the hack became public, intensifying sell pressure.
Even projects with no direct exposure to rsETH decided not to take any chances. Ethena (ENA) announced that, despite not being affected by the KelpDAO exploit, it would pause its LayerZero OFT (omnichain fungible token) bridges from Ethereum mainnet as a precautionary measure. ENA’s price reacted with a comparatively modest drop of just over 3%, underscoring market sensitivity but also showing a more contained reaction relative to AAVE and ZRO.
Lido Finance, a dominant player in the liquid staking segment, adopted a similar defensive approach, tightening controls around cross-chain interactions in the wake of the breach. The coordinated response from these major protocols highlights a growing consensus: when a cross-chain exploit hits, even projects that are “unaffected” on paper feel obliged to review and sometimes temporarily restrict their own infrastructure.
—
A brutal fortnight for DeFi: more than $600 million drained
The KelpDAO attack is part of a broader surge in high-value exploits hitting DeFi in early 2026. Over just two weeks, more than $600 million has been stolen across more than ten different protocols.
Recent incidents include:
– Rhea Finance – Lost about $18.4 million in an exploit linked to a slippage-related vulnerability.
– CoW Swap – Suffered a front-end attack, where users interacting with the interface were routed into malicious transactions.
– Drift Protocol – Faced a massive $285 million drain, placing it among the largest protocol-level losses of the year.
– Zerion – Experienced a smaller but still significant $100,000 theft stemming from compromised “internal company hot wallets.”
Taken together, these events reveal an escalation not just in the frequency of attacks, but in the sophistication and scope of illicit operations. Attackers are increasingly adept at probing and exploiting weak spots across application logic, governance, front-ends, and cross-chain infrastructure.
—
Why cross-chain design has become DeFi’s Achilles’ heel
The KelpDAO exploit underscores a structural problem in decentralized finance: the more interoperable a protocol becomes, the more complex and fragile its security model often is.
Cross-chain messaging layers and bridges like LayerZero are designed to allow assets and information to flow seamlessly between networks. However, this convenience comes at a cost:
– Expanded attack surface – Every additional chain, adapter, and contract increases the number of potential failure points.
– Complex trust assumptions – Users often assume these systems are “trustless,” but in practice they rely on sophisticated validation logic, oracles, and off-chain infrastructure.
– Difficult risk assessment – Even if a core protocol is audited, its dependencies might not be, and interactions between multiple audited systems can create unforeseen vulnerabilities.
As more protocols rely on shared cross-chain infrastructure, a single design flaw or implementation bug can propagate risk across many projects simultaneously, turning one exploit into an ecosystem-wide crisis.
—
Lessons for protocols: building resilience beyond audits
For DeFi teams, the KelpDAO incident provides several urgent takeaways:
1. Holistic security reviews
Security efforts cannot end at the smart contracts living on one chain. Teams need to evaluate all dependencies, including bridges, oracles, and off-chain services. Joint audits with cross-chain providers and regular security exercises are becoming essential.
2. Granular circuit breakers
KelpDAO did pause operations within 46 minutes, but more granular “circuit breakers” could help mitigate damage faster. Examples include per-chain limits, per-transaction caps, and automated anomaly detection that halts suspicious minting or bridging in real time.
3. Segmentation of liquidity
Spreading liquidity too thinly across dozens of chains can amplify contagion. Segregated pools, conservative caps on bridged supply, and staggered expansion may help limit the blast radius of any single exploit.
4. Transparent, rapid communication
Markets react swiftly-often before teams release official statements. Having pre-built incident response plans and communication templates can help prevent panic, maintain some user trust, and coordinate with integrators more effectively.
—
Strategies for users and traders: managing rising protocol risk
For everyday DeFi participants and professional traders, the recent wave of attacks highlights the need to treat protocol risk as seriously as market risk:
– Diversify protocol exposure – Avoid concentrating a large share of your portfolio in a single liquid staking or restaking solution, particularly if it is deeply embedded in multiple cross-chain setups.
– Limit reliance on leverage – When a token is tied to complex infrastructure, extreme price swings are more likely in the event of a breach. High leverage in such assets can quickly turn catastrophic.
– Monitor protocol health indicators – TVL changes, bridge pauses, and governance announcements can signal stress before prices fully react. Active monitoring tools and alert systems can help users respond more quickly.
– Understand redemption mechanics – Know how and when you can exit positions, especially for liquid staking tokens. If redemptions can be delayed or capped during crises, your real risk might be higher than you assume.
—
Could regulation reshape DeFi’s security landscape?
As losses mount into the hundreds of millions, regulators worldwide are paying closer attention to how DeFi protocols operate and protect user funds. While the sector is still largely unregulated in many jurisdictions, large cross-chain events like the KelpDAO exploit are likely to accelerate policy discussions.
Potential impacts could include:
– Minimum security and disclosure standards for protocols above certain TVL thresholds.
– Liability expectations for teams relying on third-party infrastructure such as bridges and messaging layers.
– Stricter oversight of custodial entities and centralized gateways that interact with DeFi protocols, given their role in amplifying or mitigating systemic risk.
Whether such measures would meaningfully improve security without stifling innovation remains an open question. However, it is clear that as DeFi grows in scale and importance, the tolerance for repeated nine-figure hacks will continue to shrink.
—
What this means for the future of liquid staking and restaking
Liquid staking and restaking protocols have become central pillars of the Ethereum ecosystem and beyond. They provide yield opportunities and capital efficiency but at the cost of added complexity and correlated risk.
The KelpDAO exploit will likely push the sector to evolve in several directions:
– Stronger emphasis on native solutions – Protocols may prioritize designs that minimize reliance on external bridges, instead leveraging in-protocol mechanisms or more conservative interoperability models.
– Risk tranching and insurance – Expect greater experimentation with token structures that separate “senior” and “junior” tranches, alongside decentralized insurance or coverage products to absorb exploit-related shocks.
– More conservative integrations – Leading protocols may slow down integrations of new liquid restaking tokens, requiring more rigorous due diligence and longer track records before accepting them as collateral.
In the short term, users could see reduced yields or stricter limits as protocols recalibrate, but in the longer run, such adjustments may lay the groundwork for a more robust and sustainable DeFi ecosystem.
—
Final takeaway
The $294 million KelpDAO exploit stands out not only because of its raw size, but because of the way it rippled across 20+ chains, dragged down major tokens like ZRO and AAVE, and forced even “unaffected” protocols to hit pause on critical infrastructure. It is a stark reminder that DeFi’s greatest strength-composability across chains-can quickly become its greatest weakness when security assumptions fail.
With more than $600 million lost across multiple attacks in just a few weeks, 2026 is shaping up to be a defining year for DeFi security. Whether the industry responds by building more resilient architectures and risk frameworks, or continues to repeat the same patterns, will determine how long users are willing to trust their capital to these experimental financial systems.